rpz

Response policy zone (RPZ) file generator.
git clone https://git.philomathiclife.com/repos/rpz

commit 8fd8669d36e9f422beae4ce39a643490d6202010
parent f0300128db19bf86fa0d7f91906956ed0529398c
Author: Zack Newman <zack@philomathiclife.com>
Date:   Wed,  8 May 2024 12:54:27 -0600

openbsd requires dns pledge now

Diffstat:
MCargo.toml | 17+++++------------
Dbuild.rs | 12------------
Msrc/lib.rs | 2+-
Msrc/main.rs | 2+-
Msrc/priv_sep.rs | 22++++++++++------------
5 files changed, 17 insertions(+), 38 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
@@ -9,7 +9,7 @@ license = "MIT OR Apache-2.0"
 name = "rpz"
 readme = "README.md"
 repository = "https://git.philomathiclife.com/repos/rpz/"
-version = "0.6.1"
+version = "0.6.2"
 [lib]
 name = "rpz"
@@ -21,11 +21,11 @@ path = "src/main.rs"
 [dependencies]
 ascii_domain = { version = "0.6.1", default-features = false }
-num-bigint = { version = "0.4.4", default-features = false }
-reqwest = { version = "0.12.2", default-features = false, features = ["brotli", "deflate", "gzip", "rustls-tls-native-roots", "trust-dns"] }
-serde = { version = "1.0.197", default-features = false }
+num-bigint = { version = "0.4.5", default-features = false }
+reqwest = { version = "0.12.4", default-features = false, features = ["brotli", "deflate", "gzip", "rustls-tls-native-roots", "trust-dns"] }
+serde = { version = "1.0.201", default-features = false }
 superset_map = { version = "0.2.3", default-features = false }
-tokio = { version = "1.36.0", default-features = false, features = ["rt", "time"] }
+tokio = { version = "1.37.0", default-features = false, features = ["rt", "time"] }
 toml = { version = "0.8.12", default-features = false, features = ["parse"] }
 url = { version = "2.5.0", default-features = false, features = ["serde"] }
 zfc = { version = "0.3.2", default-features = false }
@@ -33,17 +33,10 @@ zfc = { version = "0.3.2", default-features = false }
 [target.'cfg(target_os = "openbsd")'.dependencies]
 priv_sep = { version = "1.0.1", default-features = false, features = ["openbsd"], optional = true }
-[build-dependencies]
-rustc_version = "0.4.0"
-
 [features]
 priv_sep = ["dep:priv_sep"]
 default = ["priv_sep"]
-[package.metadata.docs.rs]
-all-features = true
-rustdoc-args = ["--cfg", "docsrs"]
-
 [badges]
 maintenance = { status = "actively-developed" }
diff --git a/build.rs b/build.rs
@@ -1,12 +0,0 @@
-use rustc_version::{version_meta, Channel};
-
-fn main() {
- // Set cfg flags depending on release channel
- let channel = match version_meta().unwrap().channel {
- Channel::Stable => "CHANNEL_STABLE",
- Channel::Beta => "CHANNEL_BETA",
- Channel::Nightly => "CHANNEL_NIGHTLY",
- Channel::Dev => "CHANNEL_DEV",
- };
- println!("cargo:rustc-cfg={}", channel)
-}
diff --git a/src/lib.rs b/src/lib.rs
@@ -12,7 +12,7 @@
 #![feature(btree_cursors)]
 #![feature(byte_slice_trim_ascii)]
 #![feature(io_error_more)]
-#![cfg_attr(all(doc, CHANNEL_NIGHTLY), feature(doc_auto_cfg))]
+#![cfg_attr(doc, feature(doc_auto_cfg))]
 #![deny(
 future_incompatible,
 let_underscore,
diff --git a/src/main.rs b/src/main.rs
@@ -2,7 +2,7 @@
 //!
 //! Consult [`README.md`](https://crates.io/crates/rpz).
 #![feature(never_type)]
-#![cfg_attr(all(doc, CHANNEL_NIGHTLY), feature(doc_auto_cfg))]
+#![cfg_attr(doc, feature(doc_auto_cfg))]
 #![deny(
 future_incompatible,
 let_underscore,
diff --git a/src/priv_sep.rs b/src/priv_sep.rs
@@ -17,13 +17,14 @@ use std::{
 #[derive(Clone, Copy)]
 pub struct Zst;
 /// Calls `pledge` with only the sys calls necessary for a minimal application
-/// to run. Specifically, the `Promise`s `Cpath`, `Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
+/// to run. Specifically, the `Promise`s `Cpath`, `Dns`, `Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
 /// are passed.
 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
 #[inline]
-pub fn pledge_init() -> Result<Promises<6>, Error> {
+pub fn pledge_init() -> Result<Promises<7>, Error> {
 let promises = Promises::new([
 Promise::Cpath,
+ Promise::Dns,
 Promise::Inet,
 Promise::Rpath,
 Promise::Stdio,
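Review bot: The arity in `Promises<7>` is hard-coded in the `pledge_init` signature here and again in the four `pledge_away_*` signatures changed in the later hunks of this file, so every promise added or dropped means editing five signatures in lockstep, as this commit had to. A single alias gated by the same `cfg`, for example `pub type InitPromises = Promises<7>;`, used in all five signatures would confine the next change to one line plus the array itself. The doc comment's list of promises would then be the only other place that has to stay in sync with the array. The body of `pledge_init` continues past the end of this hunk.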
@@ -48,7 +49,7 @@ pub const fn pledge_init() -> Result<Zst, !> {
 /// instead of an RPZ file.
 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
 #[inline]
-pub fn pledge_away_create_write(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_create_write(promises: &mut Promises<7>) -> Result<(), Error> {
 promises.remove_promises([Promise::Cpath, Promise::Wpath]);
 promises.pledge()
 }
@@ -62,7 +63,7 @@ pub fn pledge_away_create_write(_: &mut Zst) -> Result<(), !> {
 /// Removes `Promise::Unveil`.
 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
 #[inline]
-pub fn pledge_away_unveil(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_unveil(promises: &mut Promises<7>) -> Result<(), Error> {
 promises.remove(Promise::Unveil);
 promises.pledge()
 }
@@ -73,11 +74,11 @@ pub fn pledge_away_unveil(promises: &mut Promises<6>) -> Result<(), Error> {
 pub fn pledge_away_unveil(_: &mut Zst) -> Result<(), !> {
 Ok(())
 }
-/// Removes `Promise::Inet`.
+/// Removes `Promise::Dns` and `Promise::Inet`.
 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
 #[inline]
-pub fn pledge_away_net(promises: &mut Promises<6>) -> Result<(), Error> {
- promises.remove(Promise::Inet);
+pub fn pledge_away_net(promises: &mut Promises<7>) -> Result<(), Error> {
+ promises.remove_promises(Promises::new([Promise::Dns, Promise::Inet]));
 promises.pledge()
 }
 /// No-op that always returns `Ok`.
@@ -90,7 +91,7 @@ pub fn pledge_away_net(_: &mut Zst) -> Result<(), !> {
 /// Removes all `Promise`s except `Stdio`.
 #[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
 #[inline]
-pub fn pledge_away_all_but_stdio(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_all_but_stdio(promises: &mut Promises<7>) -> Result<(), Error> {
 promises.retain([Promise::Stdio]);
 promises.pledge()
 }
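Review bot: In `pledge_away_net` the new call wraps its argument as `Promises::new([Promise::Dns, Promise::Inet])`, while `pledge_away_create_write` in the first hunk of this group passes a bare array to the same `remove_promises` method. The method's signature is not visible here, but if it accepts both forms, `promises.remove_promises([Promise::Dns, Promise::Inet]);` would match the existing call and avoid building a temporary set. The doc comment could also record why the two promises are dropped in one step, for example `/// Both are removed together so that no resolver traffic stays permitted once network access is given up.`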
@@ -192,10 +193,7 @@ pub fn unveil_read_file<P: AsRef<Path>>(_: P) -> Result<(), !> {
 pub fn unveil_https() -> Result<(), UnveilErr> {
 /// The path to the root certificate store.
 const CERTS: &str = "/etc/ssl/cert.pem";
- unveil_read_file("/dev/urandom").and_then(|()| {
- unveil_read_file("/etc/resolv.conf")
- .and_then(|()| unveil_read_file(CERTS).map(|()| env::set_var("SSL_CERT_FILE", CERTS)))
- })
+ unveil_read_file(CERTS).map(|()| env::set_var("SSL_CERT_FILE", CERTS))
 }
 /// No-op that always returns `Ok`.
 #[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]
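Review bot: `unveil_https` no longer unveils `/etc/resolv.conf` or `/dev/urandom`, so name resolution presumably now depends on the `Dns` promise from `pledge_init` still being held when lookups happen, and nothing in the function records that coupling. A comment above the remaining call, such as `// resolv.conf is not unveiled: resolution relies on the dns promise from pledge_init`, would keep a later promise change from silently breaking lookups. The function's doc comment starts outside this hunk and should be checked for stale mentions of the two removed paths. Separately, `env::set_var` changes process-wide state and is only sound while no other thread reads the environment, so this call should stay ahead of any runtime or resolver thread start-up.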